1. Field
The invention disclosed and claimed herein generally pertains to a system and method for automated adjustment of roles used to control or regulate computer system access. More particularly, the invention pertains to a system and method of the above type wherein an access log is maintained, and is periodically or aperiodically used in determining whether a particular role needs to be refined or adjusted.
2. Description of the Related Art
Inaccurate, obsolete or overly generous (or overly provisioned) authorizations to access a computer system can create significant security risks. Such authorizations can enable malicious data leakage or program execution. In an ideal arrangement, only those users who have a current business requirement to access a given set of resources should possess the respective authorizations which allow them to do so. However, maintaining precise authorizations, particularly in very large IT environments comprising millions of users and permissions, exceeds the capacity of many manual or semi-automated security processes that are currently being used.
Role-based access control (RBAC) is an access policy which is presently used in commercial and other applications and systems. Access in RBAC is controlled at the system level, outside of the user's control. An RBAC configuration controls collections of permissions that may include complex operations, such as e-commerce transactions, but may also control simple operations, such as read or write operations. A role in RBAC generally comprises a set of permissions and a set of users.
While proper RBAC roles match a job function, and job functions typically change only slowly over time, ongoing changes still do occur in both the Information Technology (IT) environment and the personnel of an organization. For example, servers can be decommissioned and new servers can be added or introduced. Organization employees come and go. These natural changes are likely to result in RBAC states becoming obsolete or non-optimal, over time. Accordingly, in order to account for these changes, roles that are initially defined and deployed in an RBAC system should thereafter be assessed and certified, at specified time intervals. Any needed changes to the role structure would also need to be approved.
At present, role certifications tend to be time-consuming and tedious for approvers. Also, roles frequently have excessive access privileges, and the human eye generally does not detect "drift", that is, unused permissions and dormant users. Moreover, it is anticipated that future access control systems will increasingly rely on analytical capabilities.
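As an added illustration, not part of the patent text, the following Python script shows the kind of assessment the background describes: a role (a set of users and a set of permissions) is compared against an access log over a review window, and members with no recorded activity, or permissions that no member exercised, are flagged as drift. The refinement is only proposed, leaving the approval step to a human as the text requires. The role name, user names, permission names and log records are constructed sample data, not values from the patent.

```python
from datetime import datetime, timedelta

# Constructed sample data: a hypothetical role and a hypothetical access log.
# In the system described above the log would be maintained by the access
# control system itself; here both are embedded so the example runs offline.
ROLE = {
    "name": "billing-analyst",
    "users": {"alice", "bob", "carol"},
    "permissions": {"invoice:read", "invoice:write", "ledger:read", "report:export"},
}

# (timestamp, user, permission) records; the last one is deliberately old.
ACCESS_LOG = [
    ("2024-03-01T09:12:00", "alice", "invoice:read"),
    ("2024-03-02T10:05:00", "alice", "invoice:write"),
    ("2024-03-03T11:30:00", "bob", "invoice:read"),
    ("2024-03-15T14:20:00", "bob", "ledger:read"),
    ("2024-03-16T09:00:00", "dave", "invoice:read"),    # not a role member: ignored
    ("2023-11-20T08:00:00", "carol", "report:export"),  # outside the review window
]


def assess_role(role, log, now_iso, window_days=90):
    """Return which role members and permissions saw no use in the window.

    A user is 'dormant' if no log record in the window shows them exercising
    any of the role's permissions; a permission is 'unused' if no role member
    exercised it in the window. Activity by non-members, or on permissions the
    role does not grant, is not evidence about this role and is skipped.
    """
    now = datetime.fromisoformat(now_iso)
    cutoff = now - timedelta(days=window_days)
    active_users, used_perms = set(), set()
    for ts_iso, user, perm in log:
        if user not in role["users"] or perm not in role["permissions"]:
            continue
        if datetime.fromisoformat(ts_iso) < cutoff:
            continue
        active_users.add(user)
        used_perms.add(perm)
    dormant_users = role["users"] - active_users
    unused_perms = role["permissions"] - used_perms
    return {
        "role": role["name"],
        "dormant_users": dormant_users,
        "unused_permissions": unused_perms,
        "needs_refinement": bool(dormant_users or unused_perms),
    }


def propose_refinement(role, assessment):
    """Build the tightened role an approver would be asked to certify.

    Nothing is applied here: the proposal drops dormant members and unused
    permissions and is returned for human approval.
    """
    return {
        "name": role["name"],
        "users": role["users"] - assessment["dormant_users"],
        "permissions": role["permissions"] - assessment["unused_permissions"],
    }


if __name__ == "__main__":
    result = assess_role(ROLE, ACCESS_LOG, "2024-03-31T00:00:00")
    print(result)
    if result["needs_refinement"]:
        print("proposed:", propose_refinement(ROLE, result))
```

With a 90-day window ending on the constructed review date, carol is reported dormant and `report:export` unused; widening the window to a year makes her old record count and the role passes unchanged, which is why the window length is itself a policy decision the approver should see alongside the proposal.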